Posted to commits@cordova.apache.org by ag...@apache.org on 2015/03/12 18:44:28 UTC

cordova-plugin-whitelist git commit: Tweak CSP examples in README

Repository: cordova-plugin-whitelist
Updated Branches:
  refs/heads/master 49a8b1282 -> 255cac2f5


Tweak CSP examples in README


Project: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/commit/255cac2f
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/tree/255cac2f
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/diff/255cac2f

Branch: refs/heads/master
Commit: 255cac2f5e5fa581ccdd5595832f8b0fa758bf0c
Parents: 49a8b12
Author: Andrew Grieve <ag...@chromium.org>
Authored: Thu Mar 12 13:44:07 2015 -0400
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Thu Mar 12 13:44:20 2015 -0400

----------------------------------------------------------------------
 README.md | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/blob/255cac2f/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index 8256b8a..61949af 100644
--- a/README.md
+++ b/README.md
@@ -103,18 +103,23 @@ On Android, support for CSP within the system webview starts with KitKat (but is
 
 Here are some example CSP declarations for your `.html` pages:
 
+    <!-- Good default declaration:
+        * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
+        * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
+        * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
+            * Enable inline JS: add 'unsafe-inline' to default-src
+            * Enable eval(): add 'unsafe-eval' to default-src
+    -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
+
     <!-- Allow requests to foo.com -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
 
     <!-- Enable all requests, inline styles, and eval() -->
-    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval' "/>
-
-    <!-- Allow requests to https://ssl.gstatic.com/accessibility/javascript/android/ (required for TalkBack on Android) -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://ssl.gstatic.com/accessibility/javascript/android/"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'">
 
     <!-- Allow XHRs via https only -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
 
-    <!-- Allow data: URLs within iframes -->
-    <!-- Note: You would also need an <allow-navigation href="data:*" /> in your config.xml -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' data:"/>
+    <!-- Allow iframe to https://cordova.apache.org/ -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
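Review bot: the "Enable all requests, inline styles, and eval()" example carries over the stray colon in `script-src: 'self' 'unsafe-inline' 'unsafe-eval'` from the line it replaces; `script-src:` is not a valid directive name, so a conforming CSP parser ignores that directive and script loading falls back to `default-src *`, which allows remote scripts but still blocks inline scripts and eval(), the opposite of what the comment promises. Drop the colon (`script-src 'self' 'unsafe-inline' 'unsafe-eval'`) so the example does what it says. Separately, in the "Good default declaration" the `data:` scheme is placed in `default-src`, so it also governs script-src and permits `<script src="data:...">`, which weakens the stated aim of mitigating XSS by disabling inline scripts; if data: URLs are only needed for images or fonts, scoping it to `img-src` or `font-src` would keep the script policy tight, and `media-src *` could be narrowed in the same way.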


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org